Analysis
- max time kernel: 542s
- max time network: 159s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 27-11-2020 08:23
General
- Target: 1_4_3.xls
- Size: 270KB
- MD5: 890522e2846bc9ae0ee808db164ccdb5
- SHA1: 36b93a892a6f57abec6c40268ff9101ac45a0ca8
- SHA256: a612370e45b7c1121a2ab805c05e67722070d4a9d553d4f1dfb1ddb6f1073567
- SHA512: 0d1241bf55d42513d11fdbff65a427c47a85db18185dcee3bbb9a1b9abf6c9cb4763d92812550cd59817e62744fd0ec955067a4a15925f0293ad36176d6c385d
Malware Config
Extracted
- Family: trickbot
- Version: 1000508
- Botnet: yas31
- C2:
  164.132.255.19:443
  188.119.113.114:443
  176.119.159.147:443
  51.254.164.243:443
  178.156.202.251:443
  185.234.72.24:443
  194.5.250.52:443
  217.12.209.244:443
  185.99.2.123:443
  185.198.57.75:443
  93.189.42.81:443
  148.251.185.186:443
  79.137.101.2:443
  51.89.115.121:443
  91.200.100.84:443
  194.5.250.69:443
  185.14.30.45:443
  185.99.2.142:443
  107.175.133.162:443
  5.196.247.14:443
  190.214.13.2:449
  181.129.104.139:449
  181.112.157.42:449
  181.129.134.18:449
  131.161.253.190:449
  121.100.19.18:449
  202.29.215.114:449
  171.100.142.238:449
  190.136.178.52:449
  45.6.16.68:449
  110.232.76.39:449
  122.50.6.122:449
  103.12.161.194:449
  36.91.45.10:449
  103.227.147.82:449
  96.9.77.56:449
  103.5.231.188:449
  110.93.15.98:449
  200.171.101.169:449
- Attributes: autorunName: pwgrab
Signatures
- Dave packer (1 IoC)
  Detects executable packed with a packer named 'Dave' from the community, due to a string at the end of it.
  Processes:
  resource | yara_rule
  behavioral1/memory/808-6-0x0000000000340000-0x0000000000372000-memory.dmp | dave
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  808 | zvkFulz.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid | process
  596 | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
- Modifies Internet Explorer settings (9 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
  pid | process
  596 | EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  pid | process
  808 | zvkFulz.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1828 | wermgr.exe
  Token: SeDebugPrivilege | 1828 | wermgr.exe
  Token: SeShutdownPrivilege | 596 | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes:
  pid | process
  596 | EXCEL.EXE
  596 | EXCEL.EXE
  596 | EXCEL.EXE
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
  description | pid | process | target process
  PID 596 wrote to memory of 808 | 596 | EXCEL.EXE | zvkFulz.exe
  PID 596 wrote to memory of 808 | 596 | EXCEL.EXE | zvkFulz.exe
  PID 596 wrote to memory of 808 | 596 | EXCEL.EXE | zvkFulz.exe
  PID 596 wrote to memory of 808 | 596 | EXCEL.EXE | zvkFulz.exe
  PID 808 wrote to memory of 1828 | 808 | zvkFulz.exe | wermgr.exe
  PID 808 wrote to memory of 1828 | 808 | zvkFulz.exe | wermgr.exe
  PID 808 wrote to memory of 1828 | 808 | zvkFulz.exe | wermgr.exe
  PID 808 wrote to memory of 1828 | 808 | zvkFulz.exe | wermgr.exe
  PID 808 wrote to memory of 1828 | 808 | zvkFulz.exe | wermgr.exe
  PID 808 wrote to memory of 1828 | 808 | zvkFulz.exe | wermgr.exe
Processes
1. C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 596)
   Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\1_4_3.xls
   - Loads dropped DLL
   - Enumerates system info in registry
   - Modifies Internet Explorer settings
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\zvkFulz.exe (PID 808, child of EXCEL.EXE)
      Command line: "C:\ProgramData\zvkFulz.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\wermgr.exe (PID 1828, child of zvkFulz.exe)
         Command line: C:\Windows\system32\wermgr.exe
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\zvkFulz.exe
  MD5: cd3e6b9583fa81d40e9c1125a46907fd
  SHA1: 96510db0fbeba68298e826b73cd346820a2f1f4f
  SHA256: 5339c69e454274e349d0255b4351e8af03d87410184b65703c35045972119268
  SHA512: f3c85708716a09bfd661e8b0ff6adeda612aab0243cee00c052e31bc9b29297e6eab178aa8e0ce5322568625069dd0cbd7e2a53e0d3f35a9ab94c5ff355d9550
- \ProgramData\zvkFulz.exe
  MD5: cd3e6b9583fa81d40e9c1125a46907fd
  SHA1: 96510db0fbeba68298e826b73cd346820a2f1f4f
  SHA256: 5339c69e454274e349d0255b4351e8af03d87410184b65703c35045972119268
  SHA512: f3c85708716a09bfd661e8b0ff6adeda612aab0243cee00c052e31bc9b29297e6eab178aa8e0ce5322568625069dd0cbd7e2a53e0d3f35a9ab94c5ff355d9550
- memory/596-8-0x0000000000550000-0x0000000000551000-memory.dmp
  Filesize: 4KB
- memory/808-4-0x0000000000000000-mapping.dmp
- memory/808-7-0x00000000003B0000-0x00000000003DF000-memory.dmp
  Filesize: 188KB
- memory/808-6-0x0000000000340000-0x0000000000372000-memory.dmp
  Filesize: 200KB
- memory/1356-2-0x000007FEF6010000-0x000007FEF628A000-memory.dmp
  Filesize: 2.5MB
- memory/1828-9-0x0000000000000000-mapping.dmp